
Re: Review requested on issue #2410 (SSL client certs option)

From: Karl Fogel <kfogel_at_red-bean.com>
Date: Sun, 29 Jun 2008 18:53:25 -0400

Senthil Kumaran S <senthil_at_collab.net> writes:
> Karl Fogel wrote:
>> @@ -1232,6 +1244,10 @@
>> with the normal one here. */
>> else
>> #endif
>> + /* ### RFC: Should the 'use_client_certs' condition also cover the
>> + ### PKCS#11 case above? What about the "PKCS#12" referred to
>> + ### in libsvn_subr/config_file.c:svn_config_ensure()? */
>> + if (use_client_certs)
>> {
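Review bot: the new `if (use_client_certs)` guard is placed after the `else` / `#endif` that closes the PKCS#11 branch, so when that branch is compiled in and taken the `ssl-use-client-certs` setting is never consulted; either move the check so it covers both branches or document that the option only affects the file-based certificate path. The `### RFC` comment should be resolved and dropped before commit rather than left in the code; on the PKCS#12 half of the question, the test below loads a `.p12` file through the normal `Client certificate filename:` prompt, so that format is already covered by this guard and needs no separate case. It would also help to state in the option's documentation that turning it off only works against servers configured with `SSLVerifyClient optional`, since with `require` the handshake fails, as the NOTE in the test summary shows.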
>
> I tested with a PKCS#12 client certificate, it works perfectly.

Thank you for the patch and the testing summary, Senthil. I'm looking
at Joe Orton's mail now, and seeing that we may end up resolving this
issue a completely different way, but I'm still glad to know this patch
got tested, just in case we have to use it after all.

-K

> Following is a summary of what I did to test this patch:
>
> My apache config parameters
>
> <apache-config>
> <Location /svn/repos>
> DAV svn
> SVNPath /tmp/repos
> AuthType Basic
> AuthName "TEST SVN repository"
> AuthUserFile /etc/svn-auth-file
> Require valid-user
> <IfDefine SSL>
> SSLRequireSSL
> SSLRequire %{SSL_CLIENT_S_DN_O} eq "CollabNet Inc" and
> %{SSL_CLIENT_S_DN_OU} in {"Administration"}
> </IfDefine>
> </Location>
>
> SSLCertificateFile /usr/local/ssl/CollabCA/server/certs/serverWEB.crt
> SSLCertificateKeyFile /usr/local/ssl/CollabCA/server/keys/serverWEB.key
> SSLCACertificateFile /usr/local/ssl/CollabCA/CollabCA.crt
> SSLVerifyClient optional
> SSLVerifyDepth 2
> </apache-config>
>
> First run with default servers file:
>
> <snip>
> $ svn co https://localhost/svn/repos wc
> Authentication realm: https://localhost:443
> Client certificate filename: /usr/local/ssl/CollabCA/user/certs/stylesen.p12
> Passphrase for '/usr/local/ssl/CollabCA/user/certs/stylesen.p12':
> Authentication realm: <https://localhost:443> TEST SVN repository
> Password for 'stylesen':
> A wc/file1
> A wc/file2
> Checked out revision 2.
> </snip>
>
> Second run with "ssl-use-client-certs = no" servers file:
>
> <snip>
> $ svn co https://localhost/svn/repos wc
> Authentication realm: <https://localhost:443> TEST SVN repository
> Password for 'stylesen':
> A wc/file1
> A wc/file2
> Checked out revision 2.
> </snip>
>
> NOTE: This patch is valid only if you have "SSLVerifyClient optional"
> in your apache config. If you have something like "SSLVerifyClient
> require" it will result in the following error:
>
> <snip>
> ../subversion/libsvn_ra_neon/util.c:603: (apr_err=175002)
> svn: OPTIONS of 'https://localhost/svn/repos': SSL negotiation failed:
> SSL error: sslv3 alert handshake failure (https://localhost)
> </snip>
>
> Thank You.
> --
> Senthil Kumaran S
> http://www.stylesen.org/

Received on 2008-06-30 00:54:13 CEST

This is an archived mail posted to the Subversion Dev mailing list.
